
2017 Cyber Risk Landscape


Contents

Foreword by Hemant Shah ...... 4
Overview ...... 5
Section 2: Cyber Risk Landscape ...... 7
    Data Exfiltration ...... 10
    Financial Theft ...... 15
    Cloud Service Provider Failure ...... 18
    Denial of Service Attacks ...... 19
    Cyber Extortion ...... 22
    CAMS Version 1.0 Scenarios ...... 25
Section 3: Silent Cyber Insurance Exposure ...... 27
    Operation Technology (OT) Attacks ...... 27
    Smart Devices and the Internet of Things ...... 28
    How Can Cyber Attacks Cause Physical Damages? ...... 28
    Cyber-Physical Attack Scenarios in RMS CAMS Version 2.0 ...... 29
    Scenarios Added in CAMS Version 2.0 ...... 31
Section 4: What's New in RMS CAMS Version 2.0 ...... 33
    Updates of Affirmative Cyber Insurance Accumulation Scenarios ...... 33
    Expected Loss Baselines ...... 34
    Cyber-Physical Attack Scenarios ...... 34
    Improvements in Functionality ...... 34
Section 5: Cyber Insurance Market Update ...... 36
    Rapid Growth ...... 36
    Market Participants ...... 36
    Available Insurance Coverage ...... 37
    Cyber Risk Management Practices ...... 37
    Insurance Regulations ...... 39
The RMS Commitment to the Future ...... 40

Foreword

The past year has seen unprecedented changes in the cyber risk landscape.

When we at RMS first launched our Cyber Accumulation Management System (CAMS) in February 2016, we provided a new data standard, analytical framework, and a functional platform for our insurance clients to manage this emergent risk.

We have been delighted with the take-up of this solution across the market. And, we continue to innovate to improve your understanding of this dynamic risk so you can approach new opportunities prudently and with confidence in your accumulations. With the release of RMS CAMS Version 2.0, we have enhanced our solution to widen its scope and to reflect the most recent data and trends in the domain.

Recent events have demonstrated just how dynamic the world of cyber risk can be. Records for the most severe incidents have been broken for many of the loss processes we model – the largest volumes of data exfiltrated from companies, the most intense denial of service attacks, the biggest financial theft attempts. Unprecedented numbers of zero-day exploits became freely available to cyber criminals. Systemic cyber heists were carried out on dozens of banks through ingenious corruption of their networks of trust. Cyber risk has become politicized. Regulatory and legal frameworks are changing across the world. Our initial accumulation scenarios anticipated several of these trends and potential surges, and we are committed to remaining up to date with the trends and changes in this volatile risk landscape. This report summarizes the rapidly changing world of cyber risk, and describes how our analysts and modelers view the current and future risk.

Modeling cyber risk is core to our mission to create a more resilient and sustainable global society by enabling industry solutions to cover the risk responsibly. RMS is committed to investing in world- class cyber risk analytics, working together with industry-leading partners to develop the innovative solutions expected by our clients. We are committed to contributing to the development of a successful cyber insurance market.

HEMANT SHAH
Co-Founder and CEO
Risk Management Solutions

PAGE 4

Overview

We are in a period where the cyber risk landscape is rapidly changing. Writing cyber insurance means anticipating emerging trends in this landscape. We are seeing new records set for the scale of cyber incidents, escalation in the costs of events, changes in technologies – both offensive and defensive – and shifts in target preferences, activities, and protagonists.

To respond to these changes, the cyber insurance industry is evolving dynamically both in the coverage offered and the risk management practices employed.

In February 2016, RMS released the Cyber Accumulation Management System (CAMS).1 This has been well received and has been adopted across the industry in a short space of time. RMS has built-out a research and development team that continues to monitor and update its view of risk, and to release new versions of the platform that incorporate these views and improved functionality.

The release of CAMS Version 2.0 marks a major enhancement in the management of cyber risk. It extends accumulation management to “silent” cyber exposure, introducing cyber-physical attack scenarios on operational technology (OT). This is where cyber is the proximate cause for physical damage and consequential loss in other lines of insurance business, such as fires in commercial buildings, explosions in petrochemical facilities, and attacks against marine shipping. Cyber-physical attacks have become a genuine cause of concern in recent years, underscored by the December 2015 cyber-attack on the Ukrainian power grid.

CAMS Version 2.0 also provides an opportunity to update the RMS affirmative IT cyber accumulation scenarios for each loss process, to reflect the changing cyber risk landscape. At the initial launch of RMS CAMS in early 2016, the industry was still debating whether cyber actually posed any systemic threat of correlated loss across multiple accounts. Several events during the year have confirmed that systemic threat convincingly, including the ShadowBrokers making “zero-day” firewall exploits widely available; the Lazarus SWIFT cyber-heists hitting large numbers of banks, and the rapid growth of cloud services putting increasing numbers of companies at risk from failure of a provider.

RMS has updated the CAMS scenarios to reflect the latest trends in cyber risk and provides new recommendations for accumulation stress tests, cost models, and loss footprints to protect portfolios of cyber insurance exposure in the evolving world of cyber risk.

This report provides an update on the cyber insurance market and sets out the landscape of cyber risk in 2017.

1 CCRS, 2016a.

PAGE 5


SECTION 2 Cyber Risk Landscape

Cyber risk is a relatively young phenomenon and is evolving rapidly. The magnitude of known attacks, dissemination of new technologies, compromised IT infrastructures, and security measures put in place to protect against attacks are advancing dynamically. Many of the key assumptions and the understanding on which RMS bases the principles of cyber insurance risk management are subject to significant change, such as fundamental computer science, attack vectors, system vulnerabilities, defenses, and capabilities of the protagonists.

Cyber Threat: Increasingly Professional, International, and Political

Cyber hacking continues to become increasingly professional and international, with growing political dimensions. Amateur hackers and “hacktivists” are still active, but much of the threat to corporate business comes from well-resourced criminal gangs that have professionalized their hacking activities. Much of this activity is organized and hosted from countries beyond the jurisdiction of Western law enforcement. The cybercriminal economy is informal, collaborative, and mercenary. Organized gangs can buy the resources, skills, and tools to perpetrate cybercrime in a thriving black market. Stolen information can be sold and the proceeds of cybercrime laundered through a sophisticated gray economy.

Law Enforcement Lags Behind

Cybercrime is still met with little deterrence, with extremely low conviction rates for perpetrators. Cybercrime statistics published in the U.S. by the FBI in 2015 show that less than 1 in 200 reported cases of cyber identity theft resulted in a criminal case being brought, and only 1 in 50,000 resulted in a conviction.2 In contrast, armed robbery in the U.S. results in conviction rates of 1 in 5.3 Convicted cybercriminals face low deterrence as judges struggle to determine reasonable punishments.4

This situation may change with the reorganization of law enforcement to provide specialist cyber investigation units, the improvement of international extradition cooperation and a willingness to pursue cybercriminals abroad, the empowerment of national security cyber units to pursue offensive cyber operations against criminals in foreign jurisdictions, and changes in legal prosecution procedures including evidence of harm. Progress is being made in each of these arenas and, over time, it is expected to increase the conviction rate, which will be the main control system for deterring cybercrime.

Rapid Growth in Security Investment by Companies

Many companies are investing heavily in their own cybersecurity systems to protect their assets. Global expenditure on cybersecurity is estimated to have grown 14 percent year-on-year, from US$75 billion in 2015, to $86 billion in 2016.5 On average, U.S. companies now spend around three percent of their capital expenditure budget on cybersecurity.6 Projections suggest that global cybersecurity expenditure will continue to grow rapidly and will reach hundreds of billions of dollars annually by the end of the decade.7

The type of expenditure is also shifting. Traditional purchases of hardware IT security components, such as servers, networking gear, data centers, and physical infrastructure, are being augmented by broader security solutions, such as personnel training, non-computer platforms, and Internet of Things (IoT) security. The cybersecurity industry is becoming more competitive, with many start-ups and a proliferation of security-tech offerings taking an increased

2 FBI IC3, 2015 Internet Crime Report.
3 Grimes, 2012.
4 Williams, 2016.
5 Cyber Security Ventures, Cybersecurity Market Report Q4 2016.
6 Pacific Crest Analyst, Rob Ownes, quoted in Investor's Business Daily News, 6/10/16.
7 Cyber Security Ventures, Cybersecurity Market Report Q4 2016.

PAGE 7

share of corporate security expenditure, squeezing the earnings and valuations of the industry leaders in the cybersecurity sector.8

The increased level of security expenditure and management focus on cyber protection is apparently reducing the incidence of successful cyber attacks and losses, most noticeably on the frequency of smaller data breach events and accidental losses from staff. But this is countered by increases in scale and ambition of malicious and professional data exfiltration attacks, leading to an increase in the overall risk.

RMS interprets the growing levels of cybersecurity being implemented by larger companies as making it harder for amateur attacks to succeed, and raising the bar of effort, “logistical burden,” and skill levels needed for a cyber-attack to succeed. Determined and well-resourced attackers will still find ways through security defenses.

Cyber-leaks Becoming Increasingly Political

A characteristic of some of the most recent large-scale data exfiltration attacks has been the motivation of the attackers, which is increasingly political rather than financial in nature. This has been dubbed “Leaktivism” by some members of the media. Examples include:

• One of the largest data leaks involved the breach of a 50 million citizen database from the Turkish government in March 2016, apparently by hacktivists protesting against President Recep Tayyip Erdoğan.9
• A similar breach was perpetrated against the Philippines’ Commission on Elections (COMELEC), leaking 55 million voter details including fingerprint records, posted with anti-government slogans.10 “The decision of the National Privacy Commission (NPC) finds COMELEC chairman Andres Bautista liable for the March 2016 data breach of the poll body’s voters’ database” and affected individuals may file suit against him.11
• “John Doe,” the anonymous person who leaked the Panama Papers in April 2016 (see page 12) detailing the tax records of wealthy individuals, cited income inequality as the reason for his actions.12
• One of the most controversial cyber incidents was the leaking of emails from the Democratic National Committee during the U.S. presidential election, later concluded by the U.S. Intelligence Community to have been instigated by Russian hackers authorized by the Kremlin to influence the election.13

Political motivation – particularly protest and hacktivism – has been a longstanding characteristic of cyber risk, but recent developments suggest that this is becoming more mainstream and increasingly involving well-resourced cyber threat groups.

State-sponsored Cyber-Attacks on Insureds

State-sponsored cyber teams are becoming more active, more visible, and a more significant feature of the commercial risk landscape for cyber, and of the geopolitical risk landscape more generally.

More than 20 countries have national cyber teams as an adjunct of their military capability, at least six of which analysts consider “advanced.”14 Several “cyber-capable” countries are potential adversaries of the and other Western powers, including Russia, China, , and . Cyber incursions by foreign powers into each other’s institutions have occurred for many years, but typically these have been restricted to areas of espionage, military and government facilities, and non-damaging activities.

Recent developments have seen suspected attacks by state-sponsored cyber teams cause losses to private sector commerce. Examples include:

• The 2014 attack on Sony, alleged by U.S. intelligence officials to have been sponsored by North Korea.
• Destructive attacks on civil aviation computers in Saudi Arabia in November 2016, similar to the 2012 Aramco oil company attack, both blamed on Iran’s cyber army.
• Allegations that North Korean cyber teams were implicated in the theft of millions of dollars from over a dozen banks in the SWIFT cyber heist.
• Spear-phishing attacks for data breaches on U.S. corporations being blamed by the FBI on Russian government-backed “Cozy Bear” perpetrators.

8 Investor’s Business Daily News, 6/10/2016, ‘Security Freeze’.
9 Murdock 2016.
10 Temperton 2016.
11 Ronda, 2017.
12 Gupta, 2016.
13 Entous and Nakashima 2016.
14 Lewis 2012, Centre for Strategic and International Studies.

PAGE 8

ShadowBrokers Release a Cyber Arsenal

On August 13, 2016, a previously unknown group called the “ShadowBrokers” released a showcase folder and offered an encrypted folder for sale to the highest Bitcoin bidder. The showcase folder, made publicly available, contained a set of cyber-hacking weapons obtained from “Equation Group,” an elite United States National Security Agency (NSA) cyber-hacking team.15 It is widely assumed that these high-quality cyber tools were obtained from the NSA, and that the ShadowBrokers had either hacked the NSA and stolen their tools, or an NSA insider had leaked the content. In October 2016, a further message from ShadowBrokers claimed that the auction had been called off, and leaked a further 300 files of IP addresses purportedly revealing NSA targeting and routing.16

The released showcase folder contained 15 exploits, 13 implants, and 11 tools, most notably several “zero-day” exploits to penetrate industry standard firewalls such as Cisco ASA, Fortinet FortiGate, and Juniper SRX, along with other corporate penetration tools.17 The public release meant that unscrupulous hackers could use these tools to access the networks of the many companies running these firewalls. Firewall vendors and corporate security teams scrambled in the following weeks to produce emergency security patches and preventative measures against these exploits.

The proposed RMS “Leakomania” accumulation scenario for data exfiltration is based on the simultaneous availability of multiple “zero-day” exploits enabling a sudden increase in data exfiltration. The ShadowBrokers episode demonstrated how these exploits are hoarded and traded by cyber criminals, and exhibited the potential for clusters of them to trigger a systemic wave of cyber losses.

15 Greenberg, 2016.
16 Fox-Brewster, 2016.
17 CERT, 2016.

PAGE 9

• Factories in Ukraine that suffered power outages because of attacks on the Ukrainian power grid, alleged to have been carried out by Russian cyber units.18

Good Guys Go on the Offensive

Governments across the world are stepping up their cyber-offensive capabilities, significantly raising the potential for escalation of interstate cyber conflicts. The ShadowBrokers leak revealed NSA Equation Group's aggressive targeting and intrusive activities.19 The U.K. government established a new National Cyber Security Center in March 2016. In addition to its role in facilitating security, it has a mandate to move to “active cyber defense” – i.e., to hack back against attackers.20 In April 2016, the German government announced a new cyber and information command in the German military Bundeswehr, controversially including a cyber-attack capability.21 National security organizations in several advanced economies have ramped up their cybersecurity and counter-cyber activities.

Is Cyber Insurable if Cyber Wars Intensify?

The debate about the insurability of commercial cyber losses originating from state-sponsored cyber groups is intensifying. A potential increase in cyber warfare activity would have significant implications for cyber insurers who pay claims to private sector companies caught up in any international clandestine cyberwar cross-fire. Attribution of attacks is extremely difficult, so it is challenging for cyber insurers to differentiate between criminal and state-sponsored losses. The risk appetite for insurance companies to cover cyber loss is unlikely to be sustainable if losses from state-sponsored attacks become a significant proportion of the risk. The resources of state-sponsored cyber teams pose a threat of major systemic loss across thousands of insured accounts.

Terrorism and Cyber Loss

Assessments of the capabilities of proscribed terrorist groups suggest that they do not currently possess destructive cyber capability, although some groups, such as the United Cyber Caliphate arm of Islamic State, are known to be actively pursuing the strategic increase of their offensive cyber capabilities.

Destructive acts of cyber terrorism could face similar ambiguity in attribution, but mechanisms for determination have been proposed. Cyber terrorism has become a growing topic of concern for terrorism insurance pools around the world. Terrorism insurance is treated as specialist coverage in many countries, and is typically included in government pools or has some level of government backstop. In the U.S., insurers are required to offer terrorism coverage, and it is automatically included in workers compensation coverage.

The U.S. Terrorism Risk Insurance Program Reauthorization Act 2015 (TRIPRA 2015 or TRIA) backstop does not explicitly cover cyber, and the introduction of a backstop has been the subject of debate for several years.22 The ambiguity over the level of protection that TRIA provides is a key driver towards the development of a bespoke industry-provided cybersecurity market.

Changes in Extreme Cyber Tail-Risk

The most obvious changes in cyber risk have occurred at the extreme tail. In the past year, the scale of attacks has consistently exceeded the largest attacks previously observed – typically by an order of magnitude. For example, at the start of 2016, the largest data exfiltration events involved hundreds of millions of records. By the end of 2016, events of over a billion records (Yahoo!) and terabytes of financial data (Mossack Fonseca) had been exfiltrated. Denial of Service attacks had previously been recorded with intensities as high as 600 gigabits per second (Gbps), but by the end of 2016, the Dyn event (page 21) was of an order of magnitude more intense – several terabits per second – enabled by new techniques that utilized the Internet of Things (IoT) for volumetric attacks. Previous financial cyber thefts of tens of millions of dollars were eclipsed by an attempt to steal a billion dollars in a cyber heist involving a compromise of the SWIFT financial transaction system. The pattern of increasingly large extreme events is being repeated in many of the loss processes of cyber risk.

Additionally, we are seeing more cyber-attacks in which multiple companies are impacted in one single event. The Dyn distributed denial of service (DDoS) attack affected web-based services at hundreds of companies, including Amazon, Netflix, Airbnb, Spotify, and PayPal. The Ukraine cyber-grid attack caused to many companies.

The following sections highlight the changing trends in several key IT loss processes.

2.1 Data Exfiltration

Data exfiltration continues to be the predominant cause of insured cyber loss, with many instances of individual companies suffering from data leaks. Companies are at risk of larger data losses; the risk of data exfiltration loss is increasing in severity.

Over the last 18 months, RMS has built out its cyber incident database of historical data exfiltration events.

18 ICS-CERT, 2016, and Zetter, 2016.
19 Fox-Brewster, 2016.
20 The Register, 2016.
21 ORF, 2016.
22 For more information on TRIA visit the U.S. Department of Treasury website.

PAGE 10

Table 1: Selected Large Data Breach Events Reported in 2016

| Organization | No. of Records Lost | Date of Breach | Cause | Jurisdiction | Business Sector | Data Breach Severity |
|---|---|---|---|---|---|---|
| Mossack Fonseca | 2.6 terabytes | 3/1/2016 | Malicious Insider | Panama | Financial Services | P8 |
| Yahoo! | 1,000,000,000 | 2013, reported Dec. 2016 | Malicious Outsider | United States | IT Services | P8 |
| Yahoo! | 500,000,000 | 2014, reported Aug. 2016 | Malicious Outsider | United States | IT Services | P8 |
| Myspace.com | 360,000,000 | 2016 | TBD | United States | IT Services | P8 |
| Yahoo! | 200,000,000 | 2016 | TBD | United States | IT Services | P8 |
| U.S. Voter/Amazon/Google | 154,000,000 | 06/22/16 | Accidental Loss | United States | Government | P8 |
| Mexican Voters | 93,400,000 | 04/14/16 | Accidental Loss | Mexico | Government | P7 |
| Philippines' Commission on Elections (COMELEC) | 55,000,000 | 03/28/16 | Malicious Outsider | Philippines | Government | P7 |
| Turkey General Directorate of Population and Citizenship Affairs | 50,000,000 | 03/28/16 | Malicious Outsider | Turkey | Government | P7 |
| Verticalscope/Techsupportforum.com and others | 45,000,000 | 02/09/16 | Malicious Outsider | Canada | Technology | P7 |
| Fling | 40,000,000 | 05/06/16 | Malicious Outsider | United Kingdom | IT Services | P7 |
| Twitter, Inc. | 32,000,000 | 2016 | TBD | United States | IT Services | P7 |
| 17 Media | 30,000,000 | 04/29/16 | Malicious Outsider | Asia | Technology | P7 |
| Mate1 | 27,000,000 | 02/16/16 | Malicious Outsider | United States | IT Services | P7 |
| Alibaba.com | 20,000,000 | 2016 | TBD | China | Retail | P7 |
| U.S. Health Insurer | 9,300,000 | 06/27/16 | Malicious Outsider | United States | Healthcare | P6 |
| Lifeboat | 7,089,395 | 2016 | TBD | United States | IT Software | P6 |
| U.S. Department of Health and Human Services and others | 5,000,000 | 02/05/16 | Malicious Outsider | United States | Government | P6 |
| Lightspeed | 5,000,000 | 2016 | TBD | United States | IT Software | P6 |
| Adult Friend Finder | 3,900,000 | 2016 | TBD | Unknown | IT Services | P6 |
| Banner Health | 3,700,000 | 06/17/16 | Malicious Outsider | United States | Healthcare | P6 |

This information is gathered from various open source data resources and has been heavily enriched by RMS data scientists to provide a historical picture of data exfiltration. This data is a key input into the RMS data exfiltration model and is used to parameterize incident and cost information.

Record-breaking Sizes of Data Exfiltration Events

The past year has seen the largest data exfiltration events ever revealed. In April 2016, the world’s largest data leak by volume saw 2.6 terabytes of confidential tax data stolen from Mossack Fonseca (see page 12). Yahoo! broke the record – twice – for the largest number of personal records compromised, first in September 2016 when it revealed that data on 500 million users had been hacked in 2014, and then again in December 2016 when it revealed a data breach of over one billion user accounts dating from 2013.23 The Yahoo! share price dropped six-and-a-half percent after the December 2016 breach announcement, prejudicing and delaying acquisition negotiations with Verizon.24

Because of these increasingly large events, the RMS magnitude scale for data breach has been adjusted. The P8 scale is now extended to include events of one billion personal records or more, or a terabyte of data lost.

23 Finkle and Tharakan, 2016.
24 Moritz and Womack, 2016.

PAGE 11

Panama Papers Data Exfiltration

On April 3, 2016, the world’s largest data leak was simultaneously published by 107 news organizations, consisting of 2.6 terabytes of confidential tax data relating to offshore accounts stolen from Panamanian law firm Mossack Fonseca. An anonymous insider apparently leaked the records to highlight “income inequality” by disclosing how high-profile individuals hide income and avoid paying taxes. The leaks reportedly covered 11.5 million confidential documents dating from the 1970s through to late 2015. The data included 4.8 million emails, 3 million database format files, 2.2 million PDFs, 1.1 million images, and 320,000 text documents.25 It took news organizations over a year to analyze the volume of data prior to publication.

The leaked information allegedly detailed the ways that many high-profile individuals in more than 40 countries, including U.K., France, Russia, China, and , set up accounts and shell corporations in Panama to minimize tax payments in their own countries.26

The political fallout involved the resignation of the prime minister of Iceland and Spain’s minister of industry, and calls for the resignation of the Ukrainian president, the prime minister of Malta, and many other high-profile politicians in other countries. The U.K. prime minister admitted that he benefited from shareholdings in his father’s estate, named in the leak. Seventy-two heads of state were named, and hundreds of high-ranking officials in national governments, as well as wealthy individuals, their relatives, and close associates. High-profile celebrities named included the estate of movie director Stanley Kubrick, and actor Jackie Chan as a shell company shareholder.27

Figure 1: Map of countries impacted by Panama Papers leak.

25 InfoSEC Institute, 2016.
26 InfoSEC Institute, 2016.
27 Palmer, 2016.

PAGE 12


Figure 2: Incident count for all magnitude data exfiltration events from 2006 to 201628

Figure 3: Incident count for magnitude P5 (more than 100,000 records) and smaller

Figure 4: Incident count for magnitude P6 (more than a million records) and larger

Overall Trend for Data Exfiltration Stabilizes

The RMS historical catalog of cyber data breaches shows a substantial increase in reported cyber data exfiltration events in the previous 10 years as shown in Figure 2 (Incident Count – All Magnitude). In 2014 and 2015, the almost exponential growth in attack counts has tapered off. The frequency of occurrence of all sizes of data exfiltration events appears to have decreased since the peak of 2013-2015. We will be monitoring incidences in 2017 to see if this reduction continues.

This growth in historical reported attacks is likely caused by two factors: first, an increase in the underlying attack rates and second, because of increased reporting. The cause for the plateau is likely to be a combination of improved corporate security practices, and other attack methods (e.g., extortion) competing for resources with data exfiltration.

Despite the recent flattening of incident rates, data exfiltration remains potentially systemic. A major increase in claims could occur with a shift in attacker resources or availability of exploits, as described in the RMS "Leakomania" accumulation scenario.

Increasing Numbers of Large Magnitude Data Exfiltration Events

While the overall trend of events is flattening, the RMS catalog shows that the number of events of P6 and above – i.e., data exfiltration of more than one million personal records – has grown substantially in the years prior to 2016 for the U.S.

28 RMS Cyber Incident Database.

PAGE 13

One possible explanation is that professional criminals are concentrating their efforts on obtaining larger datasets where they can get a bigger return.

Fewer Small Data Breaches

At the other end of the spectrum, there is a measurable reduction in the incidences of smaller data breaches, as routine security measures prevent the accidental loss of data by employees that caused many of the small loss incidents in the past. The number of incidents of accidental data loss of P5 or smaller (100,000 records) was at its lowest at any point in the past five-year average.

Data Loss is Increasingly Caused by External Attackers

During 2016, the main cause of data breaches and losses was predominantly shown to be malicious interference from outside actors, rather than insider or whistleblower leaks. This continues the pattern observed over recent years. As proposed in the RMS “Data Exfiltration” accumulation stress test scenario, malicious outsiders pose more of a systemic threat than either accidental loss or insider leaks. Data exfiltration scenarios now explore more potential vectors for malicious outsiders to impact multiple companies in different attack patterns, sectors, and targeting preferences.

Data Breach by Business Sector

The recent incidents of data loss in different business sectors remain consistent with the previous five years of relativities, with a few notable differences. There has been an increase in data breach incidences in the retail, IT services, and manufacturing sectors that has continued into 2016.

There has been a significant reduction in data breaches from financial services companies – their incident rates are down in 2015 and 2016, compared to previous periods of breach records, reflecting the investment in security and data protection that is being made in this sector. Healthcare, despite some newsworthy events, has also seen a drop in the number of incidents – but this is counterbalanced by the fact that healthcare has seen a significant increase in extortion incidents.

A notable feature of recent data breaches has been the repeated targeting of adult social sites, such as Fling, Mate1, and Ashley Madison, where criminals can add blackmail to their earning potential from the stolen data.

Costs of Data Loss

Since 2010, the average cost per record of a data loss of over 100,000 records has more than doubled.29 This reflects increasing regulatory fines and procedures, growing costs

Figure 5: Percent of breaches per threat actor category over time30 (stacked percentage chart by Type of Attack, 2010–2015; categories: External, Internal, Partner, Collusion)

29 RMS Cyber Incident Database.
30 Verizon 2016 Data Breach Investigations Report.

PAGE 14

Figure 4: Data breach of privacy regulation heatmap31 (map legend, Data Privacy Regulation Layer: Strong Regulation, Moderate Regulation, Limited Regulation, No Regulation)

of compensation, and escalation of legal complexities in dealing with identity loss. Projecting forward for 2017, a further inflation of costs by 15 to 25 percent could be expected.

Data Exfiltration Risk is Increasingly International

Although the U.S. remains a major source of data breach loss, sizeable data loss events were reported in many other countries in 2016. It is becoming common practice for responsible large companies in many countries to publicly disclose a data breach and to notify the individuals affected, although mandatory reporting requirements in many countries are still some way behind the United States. Statutes are currently in preparation to require mandatory reporting of data breaches in many countries, including the European Union (EU) and several other countries that are developing markets for cyber insurance.32 The EU General Data Protection Regulation (GDPR) will require notification within 72 hours from when a breach is discovered, with maximum fines of four percent of annual global turnover or €20 million, whichever is greater.33

Costs of data breaches to companies in other countries are broadly similar to those in the United States, although when tort actions are brought, these make U.S. data breaches more expensive than in other countries.

Implication for RMS Modeling

This shift in the pattern of data breach sizes – increased targeting of larger data sets and reductions in the incidence rate of small data breaches – is represented in the release of the “Leakomania” data exfiltration accumulation stress test scenarios in CAMS Version 2.0, with adjusted frequency-severity distributions of sizes of data leaks and the addition of a risk potential for companies in some sectors to suffer data breaches of over a billion records.

The recent trends of relativities across business sectors of data breach incidences are reflected in the CAMS Version 2.0 release of data exfiltration accumulation stress test scenarios. The relative risk levels of cyber data exfiltration loss remain consistent with the country risk parameterizations for frequency and cost modeling in Version 1.0, with minor changes in RMS CAMS Version 2.0.

2.2 Financial Theft

Financial theft has continued to be a major source of cyber attacks and cyber-enabled fraud. The most common manifestation of financial theft is credit card misappropriation. Some of the recent higher-profile credit card misappropriations have involved hotel chains, with the

31 Based on data from Forrester Research Data Privacy Map 2015 and DLA Piper, 2017. 32 Forrester Research Data Privacy Map 2015 and DLA Piper, 2017. 33 European Commission General Data Protection Directive.

PAGE 15 Cyber Risk Landscape

Mandarin Oriental34, Hilton35, and Starwood36 hotel chains Financial Transaction Theft each hit in separate theft campaigns involving data The source of systemic tail-risk from cyber attack in the harvesting from their point-of-sale systems. Point-of-sale financial services sector is the penetration of banks internal systems remain targets, particularly with legacy systems systems and the transaction systems that link with them. that are slow to be updated and widely distributed. There have been recent individual cyber bank robberies; in The growing use of chip and pin (EMV) credit cards is November 2016, Tesco Bank in the U.K. lost US$2.5 million reducing theft levels in many countries. Barclays attributes from 9,000 accounts, showing that online banking systems EMV technology for reducing credit card-related thefts are still vulnerable.40 Several new types of point-of-sale and in the U.K. by 70 percent since its introduction in 2003.37 ATM were discovered in 2016.41 EMV now has an 81 percent adoption rate in Europe and A truly systemic cyber bank heist involving many banks is in use in Australia, Russia, and several other countries. occurred in 2016, with the Lazarus SWIFT campaign (page However, EMV uptake in the U.S. is slow, resulting in higher 17). This campaign appears to have successfully stolen credit card misappropriation levels than in countries where hundreds of millions of dollars, and to have narrowly failed this is standard. In 2015, Barclays noted that although to secure a transfer request for one billion dollars. Dozens the U.S. accounts for 24 percent of total credit card of banks were compromised across several different transactions worldwide, it represents 47 percent of global countries by a sophisticated and well-resourced cyber credit card fraud.38 hacking gang. 
Investigators have found similarities in the Shift of Liability for Credit Card Thefts to Non-EMV malware computer code with previous malware attributed Retailers to North Korean cyber teams. The scale of the operation was considerable, involving local bank infiltration activities In 2016, Visa, Mastercard, and Europay credit card in at least seven countries, the creation of a sophisticated companies introduced new rules requiring retailers in suite of malware with many tricks to disguise its presence, Europe to upgrade their point-of-sale systems to EMV and and an untraceable central monitoring system to gather – importantly – requiring retailers to bear the liability for data transmitted from the malware. The plot was also fraudulent card transactions if they do not do so. This move notable for the sophistication of the money laundering could potentially result in increased or shifted exposure operations put in place to prevent the funds from being for insurance companies with retail cyber insurance recovered once the transaction compromise was discovered. policyholders if their coverage includes liabilities that were previously indemnified by the credit card companies. This Networks of Trust has the potential to create a new route for systemic loss for The key feature of this criminal gang was its ability to break cyber insurers, where many retailers suffer theft losses from into a network of trust used for financial transactions and non-EMV point-of-sale system cyber compromise that is then to use legitimate authentication protocols to syphon not indemnified by the credit card companies. money out of the system. 
Because of this change, RMS strongly recommends that The accumulation management of cyber insurance coverage in the CAMS cyber exposure data schema, insurers should for financial theft loss requires identification of these networks ensure they capture data in the “Financial Loss Potential: of trust as key potential sources of future correlation of loss Named Payment System Provider(s)”39 field for retail between numbers of financial services companies. insureds specifically for EMV compliance. The ability to report on this will become increasingly more important Research is ongoing to map these networks of trust as over time, especially for those in Europe who could variants of potential financial transaction cyber compromise otherwise potentially face liabilities from future credit card scenarios, including: thefts, deferred from the credit card companies who have Consumer financial transaction systems, point-of- previously held this risk. • sale systems, online payment processing, credit and debit card purchasing and reconciliation systems, electronic funds transfers, and check clearing • Interbank payment and lending systems, clearing houses, debit and credit systems, wire networks, 34 ComputerWeekly, 2015. 45 hotels of Mandarin Oriental hotel chain reported compromised. settlement and reconciliation systems, credit transfer 35 ComputerWeekly, 2016. systems, and loan management 36 Starwood, 2016. 37 Security, 2015. 38 Security, 2015. • Currency exchanges: foreign currency payment, 39 Cyber Insurance Exposure Data Schema Version 1.0; See CCRS (2016a). settlement, and clearing exchanges, forex currency 40 Guardian, 2016. 41 Emm, Unuchek and Kruglov, 2016. trading systems


Lazarus SWIFT Financial Theft: The Billion Dollar Cyber Heist That Nearly Succeeded

In 2016, the SWIFT interbank financial transaction system was hit repeatedly, using specially-crafted software from a criminal gang called the “Lazarus Group.”42 The software provided a sophisticated method of enabling the criminals to gather information on standard practices and send fraudulent requests through the SWIFT system for financial transfers disguised as legitimate transactions, from software that had been infiltrated into a number of banks with many layers of subterfuge to prevent discovery. The fraud was combined with a complex money laundering process that obscured the proceeds of the theft from investigators.

To break into the trusted SWIFT network, the gang found lower-security banks in many different countries around the world and found a variety of ways of secretly infiltrating their malicious software onto the banks’ SWIFT transaction servers. Banks were reported compromised in Ukraine, Bangladesh, the Philippines, Ecuador, Vietnam, and potentially other Southeast Asian countries.43

Over a period of months these banks requested other banks, including the U.S. Federal Reserve, to transfer funds via the SWIFT system with fully credentialed authentication protocols. The money was then diverted through laundering operations, including casinos in the Philippines and cover accounts in Sri Lanka and Hong Kong. The full extent of the operation and the total amount stolen remain undisclosed, but reports include US$81 million unrecovered from Bangladesh Bank, a $10 million loss from a Ukrainian bank, a $12 million loss at a bank in Ecuador, and a dozen more potential losses to Southeast Asian banks.44

At one point, the gang issued 30 transfer requests totaling $951 million to be withdrawn from the Bangladesh Bank account with the U.S. Federal Reserve. Security alerts, including reported typo errors in the requests and triggering of flags on money laundering blacklists, blocked $850 million of the transfers.45

The discovery of the attempted billion-dollar heist has resulted in a radical overhaul of the SWIFT system and new security systems being put into place.

The RMS accumulation management stress test scenario “Financial Transaction Interference Scenario” includes many of the features that were seen in the Lazarus SWIFT campaign, particularly the multimillion-dollar thefts from dozens of banks in trusted financial transaction networks.

42 Symantec Security Response, 2016.
43 van der Walt, 2016.
44 Riley and Katz, 2016, and van der Walt, 2016.
45 Zetter, 2016.


• Investment trading systems and exchanges: bourses, electronic trading systems and platforms, stock market data systems, automated trading systems, investment bank exchanges

High Standards of Cybersecurity in Financial Companies

Banks and financial service companies are fully aware of their susceptibility to attempted hacks and are leaders in the implementation of security systems and measures for preventing cyber theft. Expenditure on cybersecurity by banks has been high profile and extensive; the banking industry is the single largest sector of cybersecurity expenditure.46 Bank of America disclosed that it spent $400 million on cybersecurity in 2015 and, in January 2016, its CEO said that its cybersecurity budget was unconstrained.47 JP Morgan Chase and Co. announced the doubling of its cybersecurity budget from $250 million in 2015 to $500 million in 2016, and reported levels of expenditure by other banks reached record levels, including Citibank with $300 million and Wells Fargo with $250 million.48

Changes in RMS Modeling of Financial Transaction Cyber Compromise

The scale of potential losses from individual financial services institutions is clearly growing. The RMS magnitude scale for loss from a single company has been extended to include FT4, representing a loss from $1 billion to $10 billion, with a representative value of $5 billion.

The accumulation scenario, in which many financial services companies incur theft losses from a campaign by a criminal gang compromising a network of trust, has been increased in severity to reflect the fact that the Lazarus SWIFT campaign came close to replicating the scenario released in Version 1.0.

The increasing levels of security in financial services enterprises mean that cyber theft events should become less likely, but the extreme case of many severe losses from within a network of trust remains an important stress test for insurers to run on their financial services accounts.

2.3 Cloud Service Provider Failure

The market for cloud services has grown by 53 percent since last year.49 Major companies are making cloud services more of a central part of their business operations and migrating more services to the cloud. If a cloud service provider (CSP) were to interrupt its service, business operations in many companies would be impacted more significantly than they would have been just a year ago. This represents a major increase in exposure to any potential failure of cloud service providers in cyber-affirmative IT insurance portfolios.

Increased Concentration Risk in Big Four CSPs

There is also an increasing concentration of risk in the “Big Four” CSPs: Amazon Web Services, Microsoft, IBM, and Google. The Big Four CSPs have grown by a combined 68 percent year-on-year, and have significantly increased their collective market share from 47 to 54 percent compared to the previous year.50

High Resilience Standards of CSPs

The CSPs, however, remain resilient – their business depends on continuity of service – and they are improving their reliability performance even as they grow. Analysts consider the key goal of CSPs to be “five nines,” i.e., 99.999% uptime. In 2014, both Amazon and Google got close to this figure in several of their service areas.51 In 2015, Amazon improved on this even further and suffered only two and a half hours of downtime across its four major services: virtual computing, storage, content delivery network, and domain name service.52 Each of the Big Four is improving its reliability significantly year-on-year.

46 IDC Report 2016, reported in Forbes Tech, 2016.
47 Forbes, 2016.
48 Forbes, 2015.
49 Specifically Infrastructure-as-a-Service (IaaS) such as Amazon Web Services. Richman, 2017.
50 Sullivan, 2016.
51 NetworkWorld, 2015. Amazon’s EC2 achieved 99.9974% and Google Cloud Platform Storage System exceeded the five nines with 99.9996% uptime.
52 NetworkWorld, 2016.


Table 2: Examples of recent cloud service outages

Platform Outages (IaaS)
  February 2017: Amazon Web Services (AWS) suffered a five-hour outage
  September 2015: Amazon Web Services (AWS) suffered a five-hour outage
  April 2016: Google cloud outage; Compute Engine down for 18 minutes everywhere, and Google compensated its customers with 10-25% off their monthly bill

Applications Outages
  January 2016: Microsoft Office 365 users suffered a multiday outage
  December 2013: Yahoo Mail was disrupted for several days by an outage

Cloud SaaS Outages
  April 2016: Symantec cloud-based security services down for 24 hours

That is not to say that outages have not occurred. Table 2 lists some examples of the more significant recent CSP outages. Most outages are short and only impact part of the services or individual application areas. Services are structured into Platform as a Service (PaaS), Infrastructure as a Service (IaaS), and Software as a Service (SaaS), and failures could potentially occur in any of these service areas.

Potential for Disruption from CSP Failure

Cyber insurance policy retentions ensure that outages of less than 12 hours are unlikely to trigger claims, but any CSP failure longer than this will be systemic and cause multiple claims from companies that are covered against cloud provider downtime. Most companies that have a significant part of their business operations in the cloud have increasingly sophisticated engineering approaches to maintaining their own resilience and structuring contingency for individual CSP failures, but there are vulnerabilities in these arrangements, and these present potential for widespread business interruption resulting from CSP failures. The mechanisms for potential failures continue to be those represented in the RMS accumulation management stress test scenarios: systemic and contagious hub and data center faults or malware, combined with complex repair and restoration paths.

Changes in System Architecture of CSPs

Full systemic failures of cloud providers are rare but possible. Most of the Big Four serve their customers through regional structures and individual compartments of operation, to isolate any potential failure into a single compartment. The RMS scenario for CSP failure in 2015 simulated the failure of a representative CSP in the United States that loses three regions out of the five from which it serves its U.S. customers. The regions and technical structure of CSPs are constantly evolving and becoming more sophisticated and diversified. For example, in early 2016, Amazon Web Services served its global customer base through 30 geographical “Availability Zones” in 11 regions. By early 2017, the AWS cloud infrastructure had expanded to 42 Availability Zones in 16 regions, and AWS expects to bring another five Availability Zones and two more regions online within the next year.53 The structural architecture of CSPs is an important factor in determining potential outage footprints, and constrains the extent of systemic impacts in CSP failure accumulation scenarios.

Updates to CSP Failure Accumulation Scenarios

In RMS CAMS Version 2.0, the “Cloud Service Provider Failure” accumulation scenarios have been updated to reflect the growing uptake of cloud services by insured companies. They model the latest structural architecture of the cloud service providers. The assumptions about the time taken to restore service to customers have been updated in the light of the latest examples of restoration capabilities following outages. Costing assumptions have been improved from recent examples.

2.4 Denial of Service Attacks

Denial of service attacks have continued to be a major component of the cyber risk landscape. The number of attacks has increased, with businesses reporting DDoS attacks up by as much as 130 percent year-on-year,54 and the intensity of attacks is breaking new records.

53 AWS, 2017.
54 Digital Trends, 2015.


Increasing Intensity of DDoS Attacks

In the 2015 RMS review of DDoS attacks, the largest attack intensity observed at that time was 600 gigabits per second, classified as a “Very-High Intensity DDoS.” By the end of 2016, attacks of over 1,000 gigabits per second (a terabit per second) were being recorded, such as an attack on France-based hosting provider OVH in September 2016,57 and attacks of that intensity are now being observed several times a month.58 Attacks of this intensity require a new classification of “Ultra-High Intensity DDoS Attacks.”

In addition to these ultra-high intensity DDoS attacks, even the “average” attack has seen a significant increase in intensity. The average attack intensity increased by 60 percent between 2014 and 2015, and in 2016 increased a further 70 percent to 37 gigabits per second.

Figure 5. Average DDoS attack intensity in gigabits per second, 2013-2016.55

The significance of the intensity levels of these attacks is that large commercial servers designed to deal with high traffic volumes are resilient against attacks of low intensity, but very-high intensity and ultra-high intensity attacks can bring down even the strongest websites. It is possible that there are no web servers available that are not currently vulnerable to disruption by DDoS attacks if the intensity of potential attacks continues to scale up.

The Dyn attack (see page 21) is one example of an attack on a piece of Internet infrastructure, the Domain Name System (DNS), that connects web addresses with the IP addresses of the servers hosting them.59 This type of attack has systemic impacts, as many seemingly unrelated companies use this service, such as Airbnb, Netflix, and Amazon.60

Internet of Things: A New Technology for DDoS Attacks

Technological innovation in creating DDoS attacks has helped increase the intensity of these attacks. The “Internet of Things” (IoT) has brought many devices online with low security levels. An HP Fortify study found that as many as 70 percent of IoT devices are vulnerable to attacks due to weak passwords, insecure web interfaces, and poor authorization, with new vulnerabilities being discovered each year.61 These devices can easily be “enslaved” to create volumes of traffic to fire against a target. The Dyn attack in October 2016 utilized freely distributed software to infect online IoT devices and control their use in the attack. Until the security of online devices is improved, these types of attacks will become more common, likely at greater and greater intensities as the number of online devices proliferates.

Figure 6: Frequency of “very high” (100 Gbps+) and “ultra-high” (1 Tbps+) DDoS attacks, 2013-2016.56

55 Akamai, 2016.
56 Akamai, 2016.
57 The Hacker News, 2016.
58 Akamai, 2016.
59 Newman, 2016.
60 Woolf, 2016.
61 Rawlinson, 2014, and Constantin, 2016.

PAGE 20 Dyn DDOS Attack

On October 21, 2016 Dyn suffered two Attackers used a from the The attack also had specific separate outages when hit by a massive Internet of Things (IoT), using online geographical attributes, with 18 points DDoS attack, reaching intensities of devices with low embedded security, of presence attacked in the densest 1,200 gigabits per second.62 such as printers, cameras, baby population regions of United States monitors, and residential hubs. An and parts of Western Europe (see Dyn is an Internet traffic management estimated 100,000 malicious endpoints map). Although cyber-attacks typically product managing domain name were involved in the attack. They were do not have a strong geographical system (DNS) infrastructure. Among coordinated into a botnet using footprint, this attack is notable for the its services, it provides protection malware, freely distributed software, geographic clustering of the customers to companies from DDoS attacks. It used to infect the IoT devices.64 who lost service from their various optimizes web traffic and provides providers. servers that are located geographically close to customers to enhance user Figure 7: Map of experience. Internet outages in Europe and North Because Dyn optimizes server traffic America caused by for other companies delivering web the Dyn cyber attack (as of October 21, services, many Dyn customers were 2016 1:45 p.m. PT)65 affected, including some of the largest names in web-commerce, including Amazon.com, Netflix, Airbnb, Spotify, PayPal, PlayStation Network, GitHub, and DirecTV, as well as many corporate and government web services.63

62 Ibid.
63 Woolf, 2016.
64 Ibid.
65 Source: DownDetector, Wikipedia Commons.


Increasing Frequency of DDoS Attacks

Sites that monitor web traffic and denial of service attacks are observing significant increases in numbers of attacks, quarter-on-quarter. Akamai, for example, has detected increases in the number of DDoS attacks of between 15 and 30 percent each quarter for the past year.66

Attacks are increasingly multivectored (over half in 2016), making them more difficult to mitigate. Attacks most commonly originate from or are routed through servers in China, although attacks are directed via servers in many countries, including the U.S., Turkey, Brazil, South Korea, and other territories.

Repeat Attacks on Targets

Repeat attacks on targets are a common characteristic of DDoS attacks. The average number of DDoS attacks per target is increasing, from 17 in the third quarter of 2015 to 30 by late 2016.67 There is wide variation in the number of attacks per target, with some companies reporting many hundreds of repeated attacks.

Sectoral Preferences in DDoS Targeting

Profiling the business sectors that experience the highest number of DDoS attempts shows that the targeting has remained relatively consistent with the background relativities proposed for Version 1.68 Software and technology companies are targeted in a quarter of attacks. Over half of all attacks are directed against gaming companies and their servers. Media and entertainment companies are the next most popular targets, followed by Internet and telecom companies.69 Financial services companies have seen reductions in attacks; previously they were attacked more than media and entertainment, and Internet and telecom companies. Other sectors, such as retail, education, public sector, business services, and hotel and travel, continue to receive a significant, though smaller, proportion of all attacks.

Duration

The duration of attacks and the time that servers can be interrupted is a key component of potential insurance loss. The typical deductible level for cyber insurance coverage is eight hours, and most of the high-intensity attacks being observed are still well below this eight-hour threshold. The most severe DDoS attack recorded in 2016 lasted for a total of three hours at 1,200 gigabits per second.70 Long-duration attacks of low intensity and multiple repeat attacks are more common. The potential is evidently growing for high-intensity attacks to be sustained for very long durations and to exceed the eight-hour threshold to cause significant insurance loss, but this is not yet a common characteristic of DDoS attacks.

Property Business Interruption Due to DDoS Attack

A DDoS attack was responsible for the loss of control of a central heating system in two tower blocks in Lappeenranta, Finland, an example of potential new types of attacks on connected operational technology (OT) systems.71 This attack raises the possibility of commercial property being rendered unusable by DDoS attacks and potentially incurring insured loss if coverages are ambiguous. This attack is also scalable to similar building management systems, with a vulnerability in one system allowing hackers to cause disruption or even damage to multiple buildings at a time. It also presages more general potential for loss from attacks on OT systems in industrial control systems and other areas of potential insurance exposure.

Updating of RMS Mass DDoS Scenarios

The accumulation scenarios for mass DDoS in RMS CAMS Version 2.0 incorporate the current trends in DDoS attacks. The attacks reflect the use of IoT to create higher-intensity and longer sustained attacks across a broad number of commercial targets, and include constraints on the total DDoS traffic the Internet can support at a single point in time.

66 Akamai, 2016.
67 Akamai, 2015, and Akamai, 2016.
68 Akamai, 2016.
69 Ibid.
70 York, 2016.
71 Rounela, 2016, and Paul, 2016.

2.5 Cyber Extortion

Attempts to extort major companies using cyber attacks are still relatively rare, but events are growing in frequency and in the scope of their ambition. The issue is common in personal computing and is occasionally seen in attacks on companies. There have been recent examples of cyber extortion demands on corporations resulting from data exfiltration, in which confidential data is threatened with release, and as part of denial of service attacks. These elements are likely to become more common components of these loss processes in the future.

Ransomware Attacks on the Rise

The use of ransomware, where malware is infiltrated into the networks of a company and disables servers or locks up data until a ransom is paid, has become more of a concern for cybersecurity specialists. Beazley handled four times as many ransomware incidents in 2016 as in 2015, and expects the rate of incidents to double in 2017.72 Advisen data also shows a marked increase in ransomware events (see Figure 7). In the past year, there have been several examples of companies disabled by extortion malware attacks.

Cyber Extortion Attacks on Hospitals

Notably, cyber attackers have repeatedly targeted hospitals, with multiple facilities and clinics in the U.S. and elsewhere experiencing potentially life-threatening computer systems failures accompanied by demands for payment to restore IT functionality.73 Payments in the range of thousands of dollars and tens of thousands of dollars (E1 and E2 in the scale of cyber extortion levels used in RMS CAMS) have been made, usually in Bitcoin. Examples include the Hollywood Presbyterian Medical Center in California, which paid a $17,000 Bitcoin ransom in February 2016 for the decryption key to unlock its patient data.74 Several MedStar Health hospitals and clinics in the Baltimore-Washington area were reportedly hit with ransomware in March 2016, leading to patients being turned away.76

Few companies admit to being targeted by ransomware or paying ransom demands, and so historical data is scant. The costs of business disruption are typically much higher than the ransom payments, and may constitute the most significant exposure for insurers in covering cyber extortion.

Not all companies give in to demands. A ransomware attack that froze the payment system of the San Francisco Municipal railway system, accompanied by a demand for $73,000 in November 2016, was dealt with by allowing customers to ride for free while the system was rebuilt, instead of paying the ransom.77

Locky: A New Suite of Ransomware

The cyber extortion industry for personal computers is expanding. In addition to the families of ransomware cataloged last year,78 a new suite of ransomware called “Locky” has come into circulation.79 Locky is typically spread by email (often as an invoice requiring payment) and is international in nature, presenting in several languages with the ransom demand tailored to the country and possibly other user characteristics. The Dridex gang is suspected to be behind the Locky software and is thought to be responsible for several early ransomware and malware packages, including a banking trojan. Analysts suspect that the Dridex gang is now well-resourced with gains from earlier criminal campaigns and is becoming more ambitious, scaling up its distribution and targeting, including targeting small and medium-sized businesses. It is possible that the Hollywood Presbyterian Medical Center ransomware attack was a Locky payload.

Updating of RMS Extortion Spree Scenarios

The accumulation scenarios for Cyber Extortion originally released in RMS CAMS Version 1.0 anticipated an increase in extortion incidents in commercial businesses, envisioning a campaign of ransomware that could potentially impact thousands of small and medium companies, which would pay sizable ransom amounts and suffer business disruption. The increase in cyber extortion incidents on businesses reported during the past year supports this view of the growing importance of this loss process and the need for an accumulation scenario of systemic campaigns of extortion.

Figure 7. Cyber Ransomware Annual Incident Rates: cyber ransomware annual incidents, 2009-2016.75

72 Beazley, 2017.
73 Beazley, 2017, and Zetter, 2016.
74 Advisen, 2017.
75 Los Angeles Times, 2016.
76 Cox, 2016.
77 The Merkle, 2016.
78 CCRS, 2016.
79 Malwarebytes Labs, 2016.


The ransom payouts incorporated in the Version 1.0 scenario were drawn from previous extortion examples over the past decade, but typical ransom payouts reported over the past year have not sustained these substantial amounts. In CAMS Version 2.0, we redefine the magnitude scale of ransom payouts to match recent experience, and use this new scale to define distributions of increased incidence of these payouts across insured companies. We no longer constrain extortion incidents to small and medium-sized enterprises, and now include a low incidence for large companies. Ransom demand levels have been reduced to align with the latest trends. Business interruption consequences have been expanded to reflect recent evidence.

CAMS Version 1.0 Scenarios

Cyber Data Exfiltration

Three rare “zero-day” vulnerabilities provide a criminal gang with the capability to scale data exfiltration attacks across thousands of companies. Billions of confidential data records are leaked in a few months, more than the total number of confidential data records leaked in the past 10 years.

Financial Transaction Compromise

A coordinated cyber heist operation on many financial services companies to syphon funds from transactions, obtain cash from ATMs, and carry out insider trading using stolen information. It is carried out on a scale that is orders of magnitude larger than any known cyber theft to date.

Cyber Extortion

Hackers graduate from personal computer ransomware to create a sophisticated system of encrypting small and mid-sized business corporate servers. They attack large numbers of enterprises, and demand high ransom payments, on a scale far beyond anything seen even in the PC environment to date.

Denial-of-Service Attack

Hacktivists build the largest DDoS capability yet seen and target it at capitalist corporate websites to disrupt e-commerce. They generate DDoS traffic at many multiples of the most extreme peak rates seen on the Internet, concentrated on insured businesses.

Cloud Service Provider Failure

A technical error leads to an outage at a leading cloud service provider, causing its customers to lose service for many hours until they are gradually reconnected. The outage is on a scale never experienced by a commercial CSP, in terms of proportion of its customers affected and reconnection times.


SECTION 3 Silent Cyber Insurance Exposure

CAMS Version 1.0 focused on affirmative cyber insurance scenarios and identified loss processes from cyber attacks that target information technology (IT) systems such as databases, software, and websites.

It is also becoming apparent that there is potential for cyber attacks to cause disruption and damage that could trigger insurance payouts in traditional non-cyber-specific lines of business. For example, if a cyber attack causes physical damage, destruction of property, fires or explosions, deaths, injuries, loss of services, or other harms that are covered in policies without excluding cyber as a cause, then insurers could suffer losses under these policies. The policies in these lines of business may be silent on whether they would pay out if cyber was the proximate cause. “Silent” exposure to the peril of cyber is a growing concern. Many insurers have instigated reviews of the lines of business that may contain silent exposure to identify ambiguities in the terms and conditions of policies, and to identify the amount of risk that this may represent.

CAMS Version 2.0 contains an additional suite of scenarios that enable an insurer to review the exposure it may face from silent coverages in other lines of insurance business, described on page 28. These scenarios enable insurers to identify potential losses from lines of business including property – commercial and residential – marine, energy, industrial, facultative, specialty, casualty/liability, and other lines.

3.1 Operational Technology (OT) Attacks

Cyber attacks can cause property damage and disruption when they are targeted on interfering with the computerized systems that control physical processes, known as operational technology (OT) attacks.

There have been several examples of cyber attacks on OT, including:

• “Stuxnet” is the most prominent example of a cyber attack causing physical damage to centrifuges that separate nuclear materials.80
• Researchers demonstrated that a cyber attack on a 2.25 megawatt (MW) electricity generator could cause physical damage to the unit. The vulnerability in the generator software was called “Aurora.”81 This vulnerability not only has the potential to cause damage to the generator and surrounding buildings from fire, but also a lengthy blackout that could cause significant business interruption.82
• A cyber attack on Ukrainian power companies caused a power outage for thousands of customers for several hours in December 2015, and another suspected event in December 2016 (see page 30).83
• Iranian hackers gained remote access to a 20-foot dam north of New York City in 2013.84 While no damage was done, this attack demonstrates the potential vulnerability of critical national infrastructure to cyber attacks.

80 Zetter, 2014.
81 Meserve, 2007.
82 See CCRS report on Lloyd's Business Blackout Scenario, 2015.
83 ICS-CERT, 2016.
84 Strohm, 2016.


3.2 Smart Devices and the Internet of Things

There is a concern about potential attacks on various types of physical control systems that can be controlled electronically, particularly where they are connected to networks and could be accessed by unauthorized third parties. These smart devices and “cyber-physical” systems85 consist of a wide range of sensors, actuators, valves, switches, mechanical devices, and electronic controls sometimes known as supervisory control and data acquisition (SCADA) systems, and perhaps most crucially in industrial control systems (ICS). Many electronic systems now contain elements of connectivity for diagnostic read-outs, upgrading and programming uploads, data transmission, and signal processing.

The proliferation of devices that are connected to the Internet has given rise to the term the “Internet of Things” (IoT). This is also described as “the infrastructure of the information society.” It is estimated that there are currently around 28 billion devices connected to the Internet, and various projections suggest that the number could reach 50 billion by 2020.86 The number of devices connected to the Internet is currently increasing by 30 percent year-on-year.87 There are many studies that describe the growing potential for the transformative power of IoT including smart grids, smart homes, intelligent transportation, and smart cities.

It is evident that the IoT has significant vulnerability to malicious manipulation. The increasing ubiquity of connected devices causes concerns for the insurance exposure that it could potentially represent. Connected and smart devices are a growing part of the everyday world and cybersecurity issues have been raised around products varying from household appliances, industrial process control systems, building heating and ventilation systems, webcams, drones, autonomous cars, medical devices and heart pacemakers, and entertainment systems.

Many of these systems were originally designed with poor attention to security, and have relatively low levels of anti-hacking protection. This is likely to change over time as manufacturers are held to higher standards of security, but low costs and volumes of products constrain the levels of protection that can be expected. The January 2017 filing by the United States Federal Trade Commission against the D-Link Corporation88 because its devices were used in the Dyn attack (see page 21) is the first example of a lawsuit against a manufacturer of IoT devices for poor cybersecurity, and this may prove influential in improving the security standards of IoT devices in the future. Improvements in security are unlikely to occur rapidly, so society and insurers may have to accept vulnerabilities in these systems and their potential for use in cyber-physical attacks for some time to come.

3.3 How Can Cyber Attacks Cause Physical Damage?

Examples have been seen of using cyber attacks in several ways to trigger physical damage. They broadly follow the following types of interference processes.

Spoofing – Sending False Data to a Sensor

When a sensor is vital to the safe performance of a system, spoofing the sensor can trick the system into unsafe activities. An example would include thermostat readings that normally prevent a process overheating, so by spoofing the thermostat, the system could be forced into overheating. Other examples would include spoofing GPS interpretation, electronic map systems, or beacons that guide aircraft navigation systems. Sending false data can potentially be a damaging attack mechanism.

Hysteresis – Forcing Cyclical Behavior

Once an unauthorized hacker has control of a physical system, damage can sometimes be caused by forcing the system to start and stop in rapid cycles. This causes machinery to wear out, damage bearings and misalign, overheat, blow electrical fuses, and potentially trigger uncontrolled positive feedback. The “Aurora” vulnerability in power generators and thermal runaway in lithium batteries are examples of hysteresis damage in cyber-physical attacks.

Disconnection – Stopping the Function of a Device

Simply preventing a physical system from connecting to its control system may be enough to cause damage and loss. A denial of service attack on a system that requires connectivity to operate can shut down a process. Examples include disabling a building management system with a DoS attack; by making it unable to connect to the Internet it was unable to start a heating system for an apartment building.89

Draining the battery of a device by forcing it into constant activity is also a method for causing the failure of connected battery-powered systems.

85 Loukas (2015).
86 Statistica, 2017.
87 Gartner, 2015, reports 6.4 billion connected devices in 2016, up 30 percent from 2015.
88 FTC, 2017.
89 SC Media, 2016.


Actuators – Controlling Physical Components

Actuators open and close valves, lock and unlock doors, control robot arms, change the pitch of ailerons, drive car accelerators, apply brakes, and control many other processes. The remote control of actuators has significant potential to cause damage, either by preventing them from operating or causing them to operate unsafely. Cyber attacks have opened valves and manipulated pumps to maliciously release water, sewage, and gas supplies, for example. There is obvious potential for deliberate accidents to be caused in transportation systems, manufacturing, industrial processes, and other systems where remotely-managed actuators are an integral part of the operation. Industrial and manufacturing systems tend to have security systems and fail-safe mechanisms, but these may not have always been designed against malicious intent, and determined hackers have found ways to penetrate even well-designed security systems.
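A defensive counterpart to the interference types described above, as an added example that is not RMS or CAMS code: a local safety monitor for a hypothetical heater process that checks thermostat readings for plausibility (spoofing), rate-limits actuator starts (hysteresis), and fails safe when the controller's heartbeat stops (disconnection). All limits and readings are constructed for illustration.

```python
# Added example (not RMS code): a simplified safety monitor for a heater
# process, illustrating local checks against the three interference types
# described in Section 3.3. Limits and readings are constructed values.
from dataclasses import dataclass, field
from typing import List, Optional

MAX_SAFE_TEMP_C = 90.0           # hard limit, checked on an independent sensor
MAX_RATE_C_PER_S = 2.0           # fastest change the physical process can make
MAX_SENSOR_DISAGREEMENT_C = 10.0 # tolerated gap between the two sensors
MIN_ON_INTERVAL_S = 30.0         # minimum time before the heater may restart
MAX_STARTS_PER_WINDOW = 3        # start-count limit within WINDOW_S
WINDOW_S = 300.0
HEARTBEAT_TIMEOUT_S = 15.0       # controller must check in within this interval


@dataclass
class SafetyMonitor:
    """Sits next to the actuator and applies checks the remote controller
    cannot override; the heater is only ever energised through it."""
    heater_on: bool = False
    last_temp: Optional[float] = None
    last_time: Optional[float] = None
    last_switch_time: Optional[float] = None
    last_heartbeat: Optional[float] = None
    start_times: List[float] = field(default_factory=list)
    alerts: List[str] = field(default_factory=list)

    def check_sensor(self, t: float, reported: float, independent: float) -> bool:
        """Anti-spoofing: reject thermostat readings that are physically
        implausible or that disagree with an independent hard-wired sensor."""
        ok = True
        if self.last_temp is not None and self.last_time is not None and t > self.last_time:
            rate = abs(reported - self.last_temp) / (t - self.last_time)
            if rate > MAX_RATE_C_PER_S:
                self.alerts.append(f"{t:.0f}s: implausible temperature rate {rate:.1f} C/s")
                ok = False
        if abs(reported - independent) > MAX_SENSOR_DISAGREEMENT_C:
            self.alerts.append(f"{t:.0f}s: sensor disagreement {reported} vs {independent}")
            ok = False
        if ok:  # never let a rejected reading become the next baseline
            self.last_temp, self.last_time = reported, t
        return ok

    def request_heater(self, t: float, turn_on: bool) -> bool:
        """Anti-hysteresis interlock on the actuator. Switching off is always
        allowed (the safe direction); switching on is rate-limited."""
        if turn_on == self.heater_on:
            return True
        if not turn_on:
            self.heater_on, self.last_switch_time = False, t
            return True
        if self.last_switch_time is not None and t - self.last_switch_time < MIN_ON_INTERVAL_S:
            self.alerts.append(f"{t:.0f}s: start rejected, cycling too fast")
            return False
        self.start_times = [s for s in self.start_times if t - s <= WINDOW_S]
        if len(self.start_times) >= MAX_STARTS_PER_WINDOW:
            self.alerts.append(f"{t:.0f}s: start rejected, too many starts in window")
            return False
        self.start_times.append(t)
        self.heater_on, self.last_switch_time = True, t
        return True

    def heartbeat(self, t: float) -> None:
        self.last_heartbeat = t

    def check_connectivity(self, t: float) -> bool:
        """Disconnection watchdog: if the controller goes silent (link loss
        or DoS), drive the actuator to its safe state locally instead of
        holding the last command indefinitely."""
        if self.last_heartbeat is None or t - self.last_heartbeat > HEARTBEAT_TIMEOUT_S:
            if self.heater_on:
                self.request_heater(t, False)
            self.alerts.append(f"{t:.0f}s: heartbeat lost, heater forced off")
            return False
        return True

    def step(self, t: float, reported: float, independent: float, want_on: bool) -> bool:
        """One control tick; returns the resulting heater state."""
        trusted = self.check_sensor(t, reported, independent)
        # The hard limit reads the independent sensor, so a spoofed thermostat
        # cannot talk the process past it; an untrusted reading also forces off.
        if independent >= MAX_SAFE_TEMP_C or not trusted:
            want_on = False
        self.request_heater(t, want_on)
        return self.heater_on


if __name__ == "__main__":
    m = SafetyMonitor()
    m.heartbeat(0.0)
    m.step(0.0, 40.0, 40.0, True)    # normal start
    m.step(10.0, 15.0, 60.0, True)   # constructed spoofed low reading
    m.check_connectivity(30.0)       # controller silent since t=0
    print("\n".join(m.alerts))
```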

3.4 Cyber-Physical Attack Scenarios in RMS CAMS Version 2.0

The greatest concerns for insurers are the potential for cyber-physical attacks to trigger fires, explosions, or to cause major industrial accidents or system failures that could lead to large losses or systemic claims across multiple insureds.

Cyber-physical attacks have the potential to cause claims on traditional policies that do not explicitly exclude cyber as a proximate cause, but include the consequential perils of fire and explosion, water escape, or other destructive processes. Lines of business that could potentially be impacted include marine, aviation, energy, casualty liability, and property.

RMS CAMS Version 2.0 includes an additional suite of scenarios, listed on page 31, that can be used by insurers to test their exposure to cyber-physical attacks and identify their silent exposure in policies in several lines of business, including commercial and residential property, marine cargo, industrial facilities, offshore energy, and a variety of other lines impacted by cyber-induced power outage scenarios.

Cyber Insurance Exclusions

Many exclusion clauses have been developed for traditional general liability and property policies to help insurers prevent loss accumulation from cyber events. Two of the exclusions (CL 380 and LMA 3030) prevent claims from cyber events committed with malicious intent or deemed acts of war, while NMA 2912, 2914, and 2915 exclusions prevent property damage claims from cyber events unless caused by fire or explosion.


Cyber Attack on Ukrainian Power Grid

On December 23, 2015, three regional electricity distribution companies in Ukraine reported service outages to an estimated 225,000 customers.90 The outages were caused by external agencies that delivered malware via a phishing attack, gaining access to the companies’ computers and remotely controlling the industrial control systems (ICS) to disconnect the substation power breakers, disabling power supply. At least 30 110kV and 35kV substations were disconnected for three hours.91

Ukrainian government officials blamed Russian security services for the incident.92

The event has highlighted the potential for OT cyber attacks and the vulnerability of national critical infrastructure, a threat that is being taken seriously by Western governments and national cybersecurity agencies worldwide.

Investigators are reviewing another suspected cyber attack on the SCADA systems of the 330 kW Kiev substation grid, which caused a 75-minute outage for the northern part of Kiev in December 2016, during one of the colder months in Ukraine.93

RMS CAMS Version 2.0 includes a suite of accumulation scenarios of potential OT attacks for insurers to manage their silent OT cyber exposures.

90 ICS-CERT, 2016.
91 Lee, Asante and Conway, 2016.
92 Zetter, 2016.
93 Constantin, 2016.


Scenarios added in CAMS Version 2.0

Cyber-Induced Fires in Commercial Office Buildings

Hackers exploit vulnerabilities in the smart-battery management system of a common brand of laptop, sending their lithium-ion batteries into a thermal runaway state. The attack is coordinated to occur on a specific night. A small proportion of the infected laptops left on charge overnight then overheat and catch fire; some unattended fires in commercial office buildings spread to cause major losses. Insurers face claims for a large number of fires in their commercial property and homeowner portfolios.

ICS-Triggered Fires in Industrial Processing Plants

External saboteurs gain access to the process control network of large processing plants, and spoof the temperature and pressure set points of the ICS, causing heat-sensitive processes to overheat and ignite flammable materials in storage facilities. Insurers face sizeable claims for fire and explosions at several major industrial facilities in their large accounts and facultative portfolios.

Regional Power Outage from Cyber Attack on U.S. Power Generation

A well-resourced cyber team introduces malware into the control systems of U.S. power generating companies that creates de-synchronization in certain types of generators. A sufficient number of generators are damaged to cause a cascading regional power outage that is complex to repair. Restoration of power to 90 percent of customers takes two weeks. Insurers face claims in many lines of business, including large commercial accounts, energy, homeowners, and specialty lines. The scenario is published as a Lloyd’s Emerging Risk Report “Business Blackout” by Cambridge Centre for Risk Studies, and was released in RMS CAMS Version 1.1.

Cyber-Enabled Marine Cargo Theft from Port

Cyber criminals gain access to a port management system in use at several major ports. They identify high-value cargo shipments and systematically switch and steal containers passing through the ports over many months. When the process of theft is finally discovered, the hackers scramble data in the system, disabling the ports from operating for several days. Insurers face claims for cargo loss and business interruption in their marine lines.

PCS-Triggered Explosions on Oil Rigs

A disgruntled employee gains access to a network operations center (NOC) controlling a field of oil rigs and manipulates several of the platform control systems (PCS) to cause structural misalignment of wellheads, damage to several rigs, release of oil and/or gas, and fires. At least one platform has a catastrophic explosion. Insurers face significant claims to multiple production facilities in their offshore energy book.

Regional Power Outage from Cyber Attack on U.K. Power Distribution

A nation state plants “Trojan Horse” rogue hardware in electricity distribution substations and activates it remotely to curtail power distribution and cause rolling blackouts intermittently over a multi-week campaign. Insurers face claims in many lines of business, including large commercial accounts, energy, homeowners, and specialty lines. The scenario is published as “Integrated Infrastructure: Cyber Resiliency in Society” by the Cambridge Centre for Risk Studies, and was released in RMS CAMS Version 1.1.


SECTION 4 What’s New in RMS CAMS Version 2.0

The cyber risk landscape is changing dramatically, and the insurance industry is reacting quickly with adaptations of its products and services to help its insureds with the protection they need and to meet the growing demand. RMS is serving our insurance clients by keeping abreast of this dynamic peril and providing analytical tools for managing accumulations of cyber exposure.

4.1 Updates of Affirmative Cyber Insurance Accumulation Scenarios

Data Exfiltration

The revised Data Exfiltration Version 2 scenarios reflect the increase in the number of large data sets being targeted by professional criminals and the systemic nature of multiple large-magnitude data thefts that could occur if cyber penetration toolkits, such as those released by ShadowBrokers, find their way into criminal hands. The shifting targeting pattern of criminals stealing data from different business sectors is reflected in the new scenario footprints. An important new enhancement is the differentiation in the scenario suite among different types of personal data, with the addition of separate stress test scenarios for personal identifiable information (PII), payment card information (PCI), and personal health information (PHI). The scenarios have been updated to reflect the trend of increasing costs and the emerging picture of international incidence rates and relative costs.

Financial Theft

The updates of the Financial Transaction Interference Version 2 stress test scenarios incorporate the lessons from the SWIFT cyber heist in confirming the potential for a single campaign to steal large financial sums from multiple financial services providers. The stress test suite is updated to incorporate larger campaigns than those seen to date. The loss magnitude scale is extended to incorporate larger losses per bank and reflects the significant improvements in security being implemented in the networks of trust being used by the financial services community.

Cloud Service Provider Failure

Cloud Compromise Version 2 stress test scenarios have been updated to incorporate the substantial growth in cloud usage by companies, the increasing domination of the market by the big four providers, and the restructuring of the cloud service provider (CSP) infrastructure that is being developed and expanded to meet this growth. Outages are analyzed by restoration curves: the proportion of customers reliant on regions and availability zones in the CSP’s architecture who have services reconnected over time. These are updated to reflect the potential for complex technical failures to deprive customers of their cloud functionality for periods of time and the zonal dependencies of the CSP customer base. Insurers are encouraged to capture CSP information about their insureds in the CAMS system to improve their exposure risk management.

Denial of Service Attacks

The updating of Mass DDoS Version 2 scenarios incorporates the increase in DDoS firepower that has become available to attackers through harnessing IoT devices and includes new intensity levels for attacks. The maximum volume of attacks in the stress test scenario is now informed by analysis of the total firepower that could be obtained by a campaign that succeeded in harnessing all devices available on the Internet. The targeting pattern of DDoS attackers reflects recent patterns of targeting as well as those that would have the most severe impacts on cyber insurance portfolios.


Cyber Extortion

Stress test scenarios for the Cyber Extortion Version 2 now include incidence of extortion on larger companies as seen in the past year as part of a systemic campaign with ransom payment amounts recalibrated to recent experience. The targeting incorporates the recent trend of targeting the healthcare sector. Business interruption consequences have been expanded to reflect evidence of the impact of extortion events.

4.2 Expected Loss Baselines

In addition to stress test scenarios, RMS CAMS Version 2 introduces an expected loss baseline for U.S. businesses for data exfiltration. Data exfiltration accounts for a large proportion of the insurance costs of typical affirmative cyber insurance products. The data exfiltration expected loss baseline provides average annual industry loss values, before insurance is applied, for incidence rates of different magnitudes of data exfiltration events by business sector and company size. It enables clients to benchmark their own loss experience to industry averages, to set expected loss levels and burn rate assumptions, and to explore potential market expansion strategies for safe diversification of new business.

The expected loss baseline is calibrated from the historical average annual incident rates experienced in U.S. businesses over the past six years. We augment this to apply cost levels that are trended to estimate likely claims values for 2017/18. This provides a portfolio-specific estimation of burn rate for data exfiltration incidents for cyber insurance accounts across businesses of different sectors and sizes, if incident rates continue their historical average levels.

4.3 Cyber-Physical Attack Scenarios

To respond to client demand for stress tests for silent cyber exposure in other lines of business, CAMS Version 2 provides a suite of cyber-physical attack scenarios. These are described above (see page 31), and more detailed technical specifications are available to clients.

RMS CAMS Version 2.0 Scenarios:
• Cyber-Induced Fires in Commercial Office Buildings
• ICS-Triggered Fires in Industrial Processing Plants
• Cyber-Enabled Marine Cargo Theft from Port
• PCS-Triggered Explosions on Oil Rigs
• Regional Power Outage from Cyber Attack on U.S. Power Generation
• Regional Power Outage from Cyber Attack on U.K. Power Distribution

4.4 Improvements in Functionality

RMS CAMS Version 2.0 has been rebuilt on a new software platform to improve the ability to add future features and functionality. It incorporates a new user interface designed to help clients in their workflows and incorporates additional report generation to aid risk management decision making.


SECTION 5 Cyber Insurance Market Update

As a result of the new pressures in the cyber risk landscape, the insurance industry has continued to evolve and grow.

5.1 Rapid Growth

The global cyber insurance market continues to experience strong growth. The affirmative cyber insurance market is estimated to have increased in premium volume from around $2 billion in 2015 to up to $3.5 billion in 2016. The large majority of this insurance is purchased in the U.S. and is focused on cover against breach of privacy.

Several analysts forecast the market growing rapidly, with some predictions stating that the global cyber insurance market will reach $7.5 billion by 2020.94 Others predict estimates of over $20 billion by 2025.95

Even the more conservative growth forecasts expect annual cyber premium growth rates of over 20 percent. With the context of a wider P&C soft market, many insurers are making cyber insurance a key area of focus.

The current drivers of cyber insurance premium growth are:

• Existing customers purchasing greater limits and additional coverages: In business sectors where customers have already purchased cyber insurance, customers are looking for more cover, increasing their limits, and adding further coverages, such as business and contingent interruption, to complement the breach of privacy coverage they already have.
• Strong growth from small and mid-sized (SME) companies: Many SMEs are required to purchase cyber insurance, which is a common stipulation under the terms and conditions when SMEs work with other companies. More SMEs are now aware of the cyber risk posed, their obligation to their customers, and the availability of appropriate insurance coverage.
• Strong growth from other sectors: Currently, cyber insurance take-up is largely within a relatively concentrated set of business sectors, but cyber insurance premium growth is expected to become more mainstream, with take-up from more sectors outside of this current core.
• New regulations to drive international demand: With most cyber premiums currently generated in the U.S., growth is likely to accelerate in non-U.S. markets driven by new regulatory requirements. One such area of growth will be the European Union (EU) where EU-wide legislation for cybersecurity is due to be ratified during 2018. The EU directive sees providers of critical infrastructure and essential physical and digital services adopting strengthened cyber defense measures, along with heightened reporting requirements for security incidents.

5.2 Market Participants

The growing market is attracting an increasing number of market participants. More than 50 companies now offer affirmative cyber policies, up from around 35 in 2015, a 43 percent increase.

Most of the cyber insurance premium written today originates from around ten of the largest cyber writers, who each write more than $100 million of premiums annually; a similar number are writing between $25-$100 million. Most of the market participants are responsible for writing less than $25 million in annual cyber insurance premiums, and typically represent newer entrants who are gaining experience in the market with low exposure.96

94 PWC, 2015.
95 Allianz.
96 The Betterly Report, 2016.


In addition, more insurers are integrating cyber cover in the policies of their traditional business lines. This increase in the number of market entrants, together with extension of cyber into traditional policies, both present significant challenges to cyber risk management.

Most cyber premiums still originate from the U.S. where data privacy laws have been in place for over 10 years, though an increasing amount of cyber risk is being written internationally, with the London market making a significant play to increase its cyber expertise.97

For reinsurance, though the market for cyber is comparatively small, reinsurers are playing an active role in increasing the capacity available for the primary carriers. Most reinsurance being written today is placed as per-risk quota share, with some agreements having an aggregate stop loss term in place. There is a move towards excess of loss agreements; however this is still a nascent market for cyber and RMS expects per-risk agreements to remain as the mainstay for 2017.

The reinsurance market is expected to continue to grow as the primary market increases and insurers look to cede out a portion of the risk. Improved cyber exposure data capture techniques and improved risk quantification is also expected to lead to additional forms of reinsurance becoming more commonplace.

5.3 Available Insurance Coverage

Cyber insurance products and coverages are likely to evolve over time, as this area attracts more focus from corporate risk management functions.

Wide Variety of Available Coverage

As part of its market review, RMS explored the types of cyber coverage being offered by re-examining the range of cyber policies currently available. This assessment revealed that the 19 coverage categories outlined in the RMS Cyber Exposure Data Schema generally continued to be consistent with the range of coverage available on the market.

It is evident that the insurance industry is slowly taking steps towards standardization around specific coverage terms, but variations in coverage among products continues to be prevalent. RMS research shows that for the second year in a row, only two reviewed products offered the same mix of coverages. This lack of product standardization continues to pose a challenge for companies looking to navigate the cyber insurance market, making it difficult to conduct product comparisons or to find a product that matches their exposure.

While the existing types of cyber coverage available has remained broadly consistent, RMS has seen that more insurers are now offering network service liability, regulatory defense costs, and business interruption coverage. There has also been a decline in the number of insurers offering intellectual property (IP) theft, directors and officers insurance, and contingent business interruption coverage.

Several new affirmative cyber insurance products were launched in the market during 2016, with existing market players extending the range of products they offer, as well as new market entrants.

An increasing number of insurers now offer breach response services alongside their insurance offerings. Having an established incident response plan and team in advance of any data breach reduces the average breach costs by as much as $16 per record.98

Increasing Limits Being Purchased

Insurers are making more limit available, and insureds are purchasing cover to higher levels. Limits purchased are reported to have increased by more than 10 percent in the past year, with the average cyber insurance limit passing US$20 million for the first time in the third quarter of 2016.99

5.4 Cyber Risk Management Practices

A combination of factors, from the evolution and increasing prevalence of cyber risk, through to growing regulatory interest, is driving insurers to focus on improving cyber risk management practices.

Data Standards

RMS has worked with many of the cyber market leaders over the past year, and during that time we have seen a big improvement in the quality and completeness of data capture. RMS and the industry are continuing to emphasize data standard initiatives, but data continues to be a significant issue in the market. Issues include missing data attributes, and inconsistencies in recording and usage.

Underwriting and Risk Selection Processes

Underwriting and risk selection techniques continue to be highly varied across the market. Many companies are taking actuarial approaches to extrapolate from historical trends. Given the limited presence of large “tail” events, insurers are adding a significant load onto premiums to account for the large uncertainty leading to high prices. Many other companies are buying their experience in the market through consortiums or by taking small lines on bigger risks.

97 Lloyd's Report.
98 2016 Cost of Data Breach Study, Ponemon Institute and IBM.
99 Marsh, 2016.


[Figure 8: bar chart of the percentage of policies offering each coverage category, 2015 versus 2016. Categories shown: breach of privacy event; network service failure liabilities; regulatory/defense coverage; incident response costs; cyber extortion; business interruption; data and software loss; multimedia liabilities (defamation, disparagement); reputational damage; liability (errors and omissions); contingent business interruption; financial theft and fraud; liability (professional lines, contract); physical asset damage; death and bodily injury; liability (general); cyber terrorism; intellectual property (IP) theft; environmental damage; liability (directors and officers). Horizontal axis: 0% to 100%.]

Figure 8. Change in proportion of cyber-affirmative policies on the market offering different types of coverage, comparing 26 products in 2015 to 50 products in 2016


For the first time, this is enabling a more consistent view of the risk and a more efficient use of capital across the market.

As the market continues to grow, and the risk landscape shifts, RMS expects to see continued price volatility.

An increasing trend has been toward companies leveraging Cyber Hygiene Scores as a method of quantifying the IT security maturity of a company. While undoubtedly a valuable tool, RMS would encourage organizations relying on these types of products to fully understand the underlying factors that go into these scores.

Accumulation Management

Managing the accumulations of risk in a cyber portfolio is one of the key challenges of growing a resilient cyber insurance portfolio. With the growth in cyber insurance and the corresponding increase in exposure, insurance companies are increasingly focused on managing their portfolio accumulation risk. Where cyber is added to other lines, this is often intended rather than “silent,” but insurers are concerned that it may not be adequately priced and constrained by soft market conditions and limited historical data.

Exposure management is challenging for cyber, as correlations of cyber risk are complex. The more mature cyber insurers have developed cyber stress tests over the last few years to assess their probable maximum loss to cyber catastrophes. These scenarios vary in their sophistication, ranging from a simplistic approach through to the construction of complex systems with the assistance of outside expertise.

Newer cyber market entrants, without the historical experience to effectively price and manage cyber, have taken a conservative approach, with many using exposed limit as a measure of cyber catastrophe potential. But this is changing. Driven by regulatory pressures as well as the availability of commercial solutions such as RMS CAMS, more companies are adopting an integrated approach to establish their cyber risk appetite.

5.5 Insurance Regulations

Regulators have made significant steps to push the insurance industry towards better cyber risk management.

In the London market in 2016, Lloyd’s has taken an active role by adding cyber scenarios to the mandatory reporting requirements of their managing agents.

The U.K. financial services regulator, the Prudential Regulatory Authority (PRA), has begun instigating regulatory approaches for insurers to improve their management of cyber risk, with a supervisory statement for consultation highlighting preferred best practices.

RMS was pleased to be able to contribute scenarios for the Lloyd’s RDS requirement, and to provide inputs to the PRA’s regulatory best-practice consultation.

The U.S. National Association of Insurance Commissioners (NAIC) has convened a task force for cybersecurity to create model laws that will provide minimum standards for insurance company security. The model laws will also spell out how insurance departments will monitor companies’ cybersecurity practices. NAIC also commissioned a data call on types of policies and relative premium sizes being underwritten in the private market.

U.S. rating agencies, such as AM Best, are not yet requiring quantitative analysis of cyber risk in their assessments but have added questions about a company’s preparedness and disaster plan for responding to cyber attacks as part of assessing an overall enterprise risk management framework.


5.6 The RMS Commitment to the Future

As the economy increasingly relies on the digital world to drive innovation and foster growth, the transfer of cyber risk will become more critical for businesses. This new type of risk transfer offers the insurance industry a huge growth opportunity – one which RMS is committed to helping insurers capitalize on.

The information in this report will provide you with the knowledge to better understand cyber risk and how it impacts the insurance market. It also helps demonstrate the great steps the industry is taking to provide the economy with coverage for this important peril.

The RMS commitment to the future of cyber security will continue, as the RMS cyber risk team works to develop and provide the analytical tools, newest technologies, and models the insurance industry needs to address emerging and evolving global cyber and terrorism threats. These will enable us to provide valuable insights into the evolving cyber landscape; identify the types of attacks to expect and how far-reaching they might be; anticipate the shifts in target preferences; and state the potential for cyber to trigger physical damage.

We look forward to a continued partnership with our clients in the development of a cyber insurance market that serves the enterprises at risk, and enables insurers to understand and diversify portfolio risk, while managing their capital adequacy.


Acknowledgements

Risk Management Solutions, Inc; 2017; Cyber Risk Landscape Update; report prepared by RMS in collaboration with the Centre for Risk Studies, University of Cambridge.

Risk Management Solutions, Inc
Dr. Andrew Coburn, Senior Vice President
Dr. Christos Mitas, Vice President
Tom Harvey, Senior Product Manager
Peter Ulrich, Senior Vice President
Dr. Gordon Woo, Catastrophist
Simon Bennet, Content Manager
Carol Hackett, Senior Graphic Designer
Edwina Lister, Principal Consultant
Chris Vos, Senior Consulting Analyst
Hicham Boudali, Senior Cyber Risk Modeler
Malik Awan, Cyber Risk Modeler
Simon Arnold, Senior Manager
John Agorgianitis, Modeler
Gates Maus, Senior Consultant
Kate Grove, Consultant Analyst

Cambridge Centre for Risk Studies
Simon Ruffle, Director of Research and Innovation
Jennifer Copic, Research Associate
Kayla Strong, Research Assistant
Shahzeb Malik, Research Assistant
Éireann Leverett, Senior Risk Researcher
Dr Andrew Skelton, Research Associate
Tamara Evan, Coordinating Editor
Ali Rais-Shaghagi, Research Assistant
Professor Daniel Ralph, Academic Director
Dr. Michelle Tuveson, Executive Director


RMS solutions help insurers, financial markets, corporations, and public agencies evaluate and manage risks throughout the world, promoting resilient societies and a sustainable global economy.

Risk Management Solutions, Inc. 7575 Gateway Blvd. Newark, CA 94560, USA www.rms.com

©2017 Risk Management Solutions, Inc. RMS is a registered trademark and the RMS logo is a trademark of Risk Management Solutions, Inc. All other trademarks are property of their respective owners.